
Shellshock: The 'Bash Bug' That Could Be Worse Than Heartbleed

Security researchers have discovered a vulnerability in the system software used in millions of computers, opening the possibility that attackers could execute arbitrary commands on web servers, other Linux-based machines and even Mac computers.

Some researchers say Shellshock, which affects an application called Bash (which is why it's often simply called the "Bash Bug"), is potentially more serious and widespread than the Heartbleed bug discovered in April, though the two vulnerabilities are quite different in nature.

Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn't appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.

Devices use Bash, which is Unix software, to execute "shell" commands; a shell is a program that translates your commands into something the device's OS can understand. Typically, the shell also has to read information passed to it separately from the command itself, such as which software is running, in order to do its job. Shellshock opens a way for hackers to slip malicious input into that process, so that the shell executes it as a command.

A test performed on a Bash shell on a new MacBook Air revealed the computer is vulnerable to the newly discovered Bash Bug.

Image: Stan Schroeder, Mashable

Shellshock was made public on Wednesday. A patched version of Bash was quickly made available. However, Red Hat's security team has already confirmed that the patch is incomplete.

What makes this particular bug problematic is the fact that Bash is the default shell in Mac OS X and many Linux machines, meaning it's also used in many web servers. I've tested Bash on my own MacBook Air, and sure enough, it is vulnerable (see the image above).

Much worse is the fact that a lot of applications invoke Bash for many different reasons, opening the path for a number of different ways to exploit this vulnerability.

Red Hat's security team, which first found the vulnerability, explains this: "This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such."

Several security experts, including Jim Reavis from Cloud Security Alliance and Robert Graham from Errata Security, claim the Bash bug is potentially as big as or even bigger than Heartbleed, a vulnerability in the OpenSSL cryptographic software library that was discovered in April.

Graham performed a scan for the vulnerability on a number of web servers, easily finding 3,000 systems (and potentially many more) that are vulnerable.

To mitigate this threat, web server administrators should make sure they have the latest version of Bash. For the common user, the patching process is described over at StackExchange, but be warned — it does require a certain level of command line-level knowledge to be applied.
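One way to confirm that the Bash on a machine has actually been patched, as an added example that is not part of the original article: the script sets an environment variable whose value is a harmless function definition followed by a trailing command, starts Bash, and reports whether Bash ran that trailing command on startup. The function names, the marker string and the "no-bash" result are my own choices.

```shell
#!/bin/sh
# Added example: self-check for the Shellshock behaviour described above.
# The trailing command is harmless; it only prints a marker string so the
# script can tell whether Bash executed it.

# Classify captured Bash output: "vulnerable" if the marker appears, else "patched".
classify_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Run the check against the locally installed bash, if there is one.
# Prints one of: vulnerable, patched, no-bash.
shellshock_status() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    # Constructed environment variable: a function body followed by an extra command.
    # A patched Bash ignores the part after the function; an unpatched one runs it.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo done' 2>/dev/null)
    classify_output "$out"
}

shellshock_status
```

Re-run the script after updating Bash; the expected result on a patched system is "patched".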
